Password Spraying
Password Policy
Enumerate the domain password policy first: the lockout threshold and the lockout observation window decide how many passwords can be tried per user and how long to wait between spraying rounds without locking accounts out.
$ cme smb 10.10.13.37 -u snovvcrash -p 'Passw0rd!' --pass-pol
Cmd > net accounts /domain
PS > Get-ADDefaultDomainPasswordPolicy
PV3 > Get-DomainPolicyData | select -ExpandProperty SystemAccess
Example of net accounts output (the labels are localized, the English-locale ones are shown; the values are the ones that matter):
Minimum password age (days): 1
Maximum password age (days): 90
Minimum password length: 10
Length of password history maintained: 24
Lockout threshold: 7
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
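As an added example (not from the original notes), a small Python parser for the net accounts /domain output above that turns the lockout settings into a spray budget. The sample outputs are constructed to match the fields shown above, in both the English and the Russian locale label wording; the default margin of two attempts below the threshold is this example's own conservative choice (one spare for the real user's own typo). Two caveats when using the result: badPwdCount is forwarded to the PDC emulator, so spreading attempts across several DCs does not multiply the budget, and accounts covered by a fine-grained password policy may have a lower threshold than the default domain policy reports.

```python
"""Parse `net accounts /domain` output and derive a lockout-safe spray budget.

Added example, not part of the original notes. SAMPLE_EN / SAMPLE_RU are
constructed to match the fields listed above; `margin` is this example's
own choice (attempts kept in reserve below the lockout threshold).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Localized label -> field name. `net accounts` prints "Never" / "Unlimited"
# instead of a number when a setting is disabled; those become None.
LABELS: Dict[str, str] = {
    "Minimum password age (days)": "min_age_days",
    "Минимальный срок действия пароля (дней)": "min_age_days",
    "Maximum password age (days)": "max_age_days",
    "Максимальный срок действия пароля (дней)": "max_age_days",
    "Minimum password length": "min_length",
    "Минимальная длина пароля": "min_length",
    "Length of password history maintained": "history_length",
    "Хранение неповторяющихся паролей": "history_length",
    "Lockout threshold": "lockout_threshold",
    "Блокировка после ошибок ввода пароля": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration_min",
    "Длительность блокировки (минут)": "lockout_duration_min",
    "Lockout observation window (minutes)": "observation_window_min",
    "Сброс счетчика блокировок через (минут)": "observation_window_min",
}


@dataclass
class PasswordPolicy:
    min_age_days: Optional[int] = None
    max_age_days: Optional[int] = None        # None = Unlimited
    min_length: Optional[int] = None
    history_length: Optional[int] = None
    lockout_threshold: Optional[int] = None   # None or 0 = lockout disabled ("Never")
    lockout_duration_min: Optional[int] = None
    observation_window_min: Optional[int] = None


def parse_net_accounts(output: str) -> PasswordPolicy:
    """Pick the known labels out of the (padded, localized) net accounts output."""
    policy = PasswordPolicy()
    for line in output.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        field = LABELS.get(label.strip())
        if field is None:
            continue                       # e.g. "Computer role", "Force user logoff ..."
        value = value.strip()
        setattr(policy, field, int(value) if value.isdigit() else None)
    return policy


def attempts_per_window(policy: PasswordPolicy, margin: int = 2) -> Optional[int]:
    """Failed attempts you may spend per user inside one observation window.
    None means lockout is disabled; 0 means the threshold is too low to spray."""
    if not policy.lockout_threshold:
        return None
    return max(0, policy.lockout_threshold - margin)


def spray_plan(policy: PasswordPolicy, passwords: List[str], margin: int = 2) -> List[List[str]]:
    """Split the password list into batches. Between batches wait the full
    observation window, counted from the last failed attempt of the batch
    (AD resets badPwdCount only when the window has passed since badPasswordTime)."""
    per_window = attempts_per_window(policy, margin)
    if per_window is None:
        return [list(passwords)]
    if per_window == 0:
        raise ValueError("lockout threshold too low to spray safely")
    return [passwords[i:i + per_window] for i in range(0, len(passwords), per_window)]


def plan_duration_min(policy: PasswordPolicy, n_batches: int) -> int:
    """Minimum wall-clock minutes the plan takes (waits only, attempts assumed instant)."""
    if n_batches <= 1 or not policy.observation_window_min:
        return 0
    return (n_batches - 1) * policy.observation_window_min


# Constructed sample outputs (values taken from the policy shown in the notes).
SAMPLE_EN = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              10
Length of password history maintained:                24
Lockout threshold:                                    7
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

SAMPLE_RU = """\
Минимальный срок действия пароля (дней):              1
Максимальный срок действия пароля (дней):             90
Минимальная длина пароля:                             10
Хранение неповторяющихся паролей:                     24
Блокировка после ошибок ввода пароля:                 7
Длительность блокировки (минут):                      30
Сброс счетчика блокировок через (минут):              30
"""

if __name__ == "__main__":
    pol = parse_net_accounts(SAMPLE_EN)
    batches = spray_plan(pol, [f"Season{i}!" for i in range(12)])
    print(pol, batches, plan_duration_min(pol, len(batches)))
```

With the policy above (threshold 7, window 30) the plan spends five passwords per round and waits 30 minutes after the last failure of each round, so twelve passwords take three rounds and at least an hour of waiting.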
Fine-Grained Password Policies
Map FGPPs (password settings objects) to the users and groups they apply to (reading the Password Settings Container needs admin privileges by default). A PSO overrides the default domain policy for its members, so a stricter lockout threshold there is the one that actually governs spraying against those accounts:
Validate Domain Users
Validate usernames against the KDC via Kerberos pre-authentication with NetExec (a bare username check does not increment badPwdCount, so it cannot lock accounts out):
Validate usernames via cLDAP (LDAP Ping) with ldapnomnom or ldeep:
Validate usernames via MS-NRPC (Netlogon) with NauthNRPC:
Get Domain Users
Non-Authenticated (Null Session)
If SMB null sessions are allowed on the DC, an adversary can enumerate all domain users via RID cycling (resolving the domain SID plus an incrementing RID through LSA LookupSids).
Another approach is to request the user list directly over MSRPC (SAMR) on the IPC$ share:
CrackMapExec
rpcclient:
net:
smbclient (check):
Authenticated
Query LDAP for all domain user accounts via GetADUsers.py:
Query LDAP for all domain user accounts via windapsearch:
Query LDAP for all active domain user accounts via go-windapsearch:
Shadow Spray
Tools
MSF
kerbrute
Generate a wordlist of common usernames in the appropriate format and validate it against the KDC (username enumeration via Kerberos does not lock accounts out):
Spray a password against the validated accounts (unlike enumeration, failed pre-authentication attempts do count toward the lockout threshold):
pyKerbrute
smartbrute
Spray a single NT hash against a list of users:
Get domain password policy and active users:
Launch smart password spray with a hash:
DomainPasswordSpray